authorpluralcafe-docker <git@plural.cafe>2018-12-27 21:35:47 +0000
committerpluralcafe-docker <git@plural.cafe>2018-12-27 21:35:47 +0000
commit797a8429a0deb511e6d6092edad39f856231534e (patch)
tree6e44d3c2a5a662dfc4e4087fdc391b8e7bb41dba /spec/policies
parent94894b8a6ad1247306497dc8c0c47d52a8a2f72c (diff)
parentf349fe2159fb36e598263f2797f041417ef7c2da (diff)
Merge branch 'glitch'
Diffstat (limited to 'spec/policies')
-rw-r--r--spec/policies/account_moderation_note_policy_spec.rb52
-rw-r--r--spec/policies/account_policy_spec.rb86
-rw-r--r--spec/policies/backup_policy_spec.rb45
-rw-r--r--spec/policies/custom_emoji_policy_spec.rb38
-rw-r--r--spec/policies/domain_block_policy_spec.rb24
-rw-r--r--spec/policies/email_domain_block_policy_spec.rb24
-rw-r--r--spec/policies/instance_policy_spec.rb24
-rw-r--r--spec/policies/invite_policy_spec.rb94
-rw-r--r--spec/policies/relay_policy_spec.rb24
-rw-r--r--spec/policies/report_note_policy_spec.rb48
-rw-r--r--spec/policies/report_policy_spec.rb24
-rw-r--r--spec/policies/settings_policy_spec.rb24
-rw-r--r--spec/policies/status_policy_spec.rb28
-rw-r--r--spec/policies/subscription_policy_spec.rb24
-rw-r--r--spec/policies/tag_policy_spec.rb24
-rw-r--r--spec/policies/user_policy_spec.rb167
16 files changed, 750 insertions, 0 deletions
diff --git a/spec/policies/account_moderation_note_policy_spec.rb b/spec/policies/account_moderation_note_policy_spec.rb
new file mode 100644
index 000000000..bb7af94e4
--- /dev/null
+++ b/spec/policies/account_moderation_note_policy_spec.rb
@@ -0,0 +1,52 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+RSpec.describe AccountModerationNotePolicy do
+  let(:subject) { described_class }
+  let(:admin)   { Fabricate(:user, admin: true).account }
+  let(:john)    { Fabricate(:user).account }
+
+  permissions :create? do
+    context 'staff' do
+      it 'grants to create' do
+        expect(subject).to permit(admin, AccountModerationNotePolicy)
+      end
+    end
+
+    context 'not staff' do
+      it 'denies to create' do
+        expect(subject).to_not permit(john, AccountModerationNotePolicy)
+      end
+    end
+  end
+
+  permissions :destroy? do
+    let(:account_moderation_note) do
+      Fabricate(:account_moderation_note,
+                account: john,
+                target_account: Fabricate(:account))
+    end
+
+    context 'admin' do
+      it 'grants to destroy' do
+        expect(subject).to permit(admin, AccountModerationNotePolicy)
+      end
+    end
+
+    context 'owner' do
+      it 'grants to destroy' do
+        expect(subject).to permit(john, account_moderation_note)
+      end
+    end
+
+    context 'neither admin nor owner' do
+      let(:kevin) { Fabricate(:user).account }
+
+      it 'denies to destroy' do
+        expect(subject).to_not permit(kevin, account_moderation_note)
+      end
+    end
+  end
+end
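Review bot: The `create?` examples and the 'admin' example under `destroy?` pass the policy class `AccountModerationNotePolicy` as the record, so the admin path is never checked against a real note. The fabricated `account_moderation_note` is already in scope for `destroy?`, so the admin case can read `expect(subject).to permit(admin, account_moderation_note)`, which also makes it clear that an admin may remove a note owned by `john`. For `create?`, passing the model class (presumably `AccountModerationNote`) instead of the policy class would match the other specs in this commit. Separately, `let(:subject) { described_class }` shadows RSpec's own `subject`; `subject { described_class }` says the same thing without the override.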
diff --git a/spec/policies/account_policy_spec.rb b/spec/policies/account_policy_spec.rb
new file mode 100644
index 000000000..6648b0888
--- /dev/null
+++ b/spec/policies/account_policy_spec.rb
@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+RSpec.describe AccountPolicy do
+  let(:subject) { described_class }
+  let(:admin)   { Fabricate(:user, admin: true).account }
+  let(:john)    { Fabricate(:user).account }
+
+  permissions :index?, :show?, :unsuspend?, :unsilence?, :remove_avatar?, :remove_header? do
+    context 'staff' do
+      it 'permits' do
+        expect(subject).to permit(admin)
+      end
+    end
+
+    context 'not staff' do
+      it 'denies' do
+        expect(subject).to_not permit(john)
+      end
+    end
+  end
+
+  permissions :redownload?, :subscribe?, :unsubscribe? do
+    context 'admin' do
+      it 'permits' do
+        expect(subject).to permit(admin)
+      end
+    end
+
+    context 'not admin' do
+      it 'denies' do
+        expect(subject).to_not permit(john)
+      end
+    end
+  end
+
+  permissions :suspend?, :silence? do
+    let(:staff) { Fabricate(:user, admin: true).account }
+
+    context 'staff' do
+      context 'record is staff' do
+        it 'denies' do
+          expect(subject).to_not permit(admin, staff)
+        end
+      end
+
+      context 'record is not staff' do
+        it 'permits' do
+          expect(subject).to permit(admin, john)
+        end
+      end
+    end
+
+    context 'not staff' do
+      it 'denies' do
+        expect(subject).to_not permit(john, Account)
+      end
+    end
+  end
+
+  permissions :memorialize? do
+    let(:other_admin) { Fabricate(:user, admin: true).account }
+
+    context 'admin' do
+      context 'record is admin' do
+        it 'denies' do
+          expect(subject).to_not permit(admin, other_admin)
+        end
+      end
+
+      context 'record is not admin' do
+        it 'permits' do
+          expect(subject).to permit(admin, john)
+        end
+      end
+    end
+
+    context 'not admin' do
+      it 'denies' do
+        expect(subject).to_not permit(john, Account)
+      end
+    end
+  end
+end
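Review bot: Every 'staff' context here is exercised with an `admin: true` account, the same fixture the 'admin' contexts use, so the examples cannot tell a staff-level rule from an admin-only one. If `:redownload?` were loosened to staff, or `:index?` tightened to admin, nothing in this file would fail. A moderator fixture such as `let(:moderator) { Fabricate(:user, moderator: true).account }`, permitted in the staff groups and denied in the `:redownload?, :subscribe?, :unsubscribe?` and `:memorialize?` groups, would pin that boundary; the expected outcomes are inferred from the context labels and should be checked against the policy. The `let(:staff)` record for `:suspend?, :silence?` is also an admin, so 'record is staff' never covers a moderator target. The same admin-only stand-in for staff appears in custom_emoji_policy_spec.rb, report_note_policy_spec.rb, report_policy_spec.rb, tag_policy_spec.rb and user_policy_spec.rb.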
diff --git a/spec/policies/backup_policy_spec.rb b/spec/policies/backup_policy_spec.rb
new file mode 100644
index 000000000..80407e12f
--- /dev/null
+++ b/spec/policies/backup_policy_spec.rb
@@ -0,0 +1,45 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+RSpec.describe BackupPolicy do
+  let(:subject) { described_class }
+  let(:john)    { Fabricate(:user).account }
+
+  permissions :create? do
+    context 'not user_signed_in?' do
+      it 'denies' do
+        expect(subject).to_not permit(nil, Backup)
+      end
+    end
+
+    context 'user_signed_in?' do
+      context 'no backups' do
+        it 'permits' do
+          expect(subject).to permit(john, Backup)
+        end
+      end
+
+      context 'backups are too old' do
+        it 'permits' do
+          travel(-8.days) do
+            Fabricate(:backup, user: john.user)
+          end
+
+          expect(subject).to permit(john, Backup)
+        end
+      end
+
+      context 'backups are newer' do
+        it 'denies' do
+          travel(-3.days) do
+            Fabricate(:backup, user: john.user)
+          end
+
+          expect(subject).to_not permit(john, Backup)
+        end
+      end
+    end
+  end
+end
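Review bot: The two time-based examples use backups 8 and 3 days old, so they pass for any cutoff between those values and never pin the policy's actual minimum age. Adding one example just inside and one just outside the configured interval would catch an accidental change to the rate limit. It is also worth a comment on the `travel(-8.days)` block, for example `# backup created outside the cooldown window`, since the threshold itself is not visible in this spec.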
diff --git a/spec/policies/custom_emoji_policy_spec.rb b/spec/policies/custom_emoji_policy_spec.rb
new file mode 100644
index 000000000..8def88212
--- /dev/null
+++ b/spec/policies/custom_emoji_policy_spec.rb
@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+RSpec.describe CustomEmojiPolicy do
+  let(:subject) { described_class }
+  let(:admin)   { Fabricate(:user, admin: true).account }
+  let(:john)    { Fabricate(:user).account }
+
+  permissions :index?, :enable?, :disable? do
+    context 'staff' do
+      it 'permits' do
+        expect(subject).to permit(admin, CustomEmoji)
+      end
+    end
+
+    context 'not staff' do
+      it 'denies' do
+        expect(subject).to_not permit(john, CustomEmoji)
+      end
+    end
+  end
+
+  permissions :create?, :update?, :copy?, :destroy? do
+    context 'admin' do
+      it 'permits' do
+        expect(subject).to permit(admin, CustomEmoji)
+      end
+    end
+
+    context 'not admin' do
+      it 'denies' do
+        expect(subject).to_not permit(john, CustomEmoji)
+      end
+    end
+  end
+end
diff --git a/spec/policies/domain_block_policy_spec.rb b/spec/policies/domain_block_policy_spec.rb
new file mode 100644
index 000000000..aea50ec0f
--- /dev/null
+++ b/spec/policies/domain_block_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+RSpec.describe DomainBlockPolicy do
+  let(:subject) { described_class }
+  let(:admin)   { Fabricate(:user, admin: true).account }
+  let(:john)    { Fabricate(:user).account }
+
+  permissions :index?, :show?, :create?, :destroy? do
+    context 'admin' do
+      it 'permits' do
+        expect(subject).to permit(admin, DomainBlock)
+      end
+    end
+
+    context 'not admin' do
+      it 'denies' do
+        expect(subject).to_not permit(john, DomainBlock)
+      end
+    end
+  end
+end
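Review bot: The 'not admin' example only uses a plain user, so nothing here shows that a moderator or a signed-out caller is denied these admin-only actions. Two more denies would close that gap: `expect(subject).to_not permit(Fabricate(:user, moderator: true).account, DomainBlock)` and, if the policy is meant to tolerate a missing account, `expect(subject).to_not permit(nil, DomainBlock)` as backup_policy_spec.rb already does. The same applies to email_domain_block_policy_spec.rb, instance_policy_spec.rb, relay_policy_spec.rb, settings_policy_spec.rb and subscription_policy_spec.rb.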
diff --git a/spec/policies/email_domain_block_policy_spec.rb b/spec/policies/email_domain_block_policy_spec.rb
new file mode 100644
index 000000000..a3e825e07
--- /dev/null
+++ b/spec/policies/email_domain_block_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+RSpec.describe EmailDomainBlockPolicy do
+  let(:subject) { described_class }
+  let(:admin)   { Fabricate(:user, admin: true).account }
+  let(:john)    { Fabricate(:user).account }
+
+  permissions :index?, :create?, :destroy? do
+    context 'admin' do
+      it 'permits' do
+        expect(subject).to permit(admin, EmailDomainBlock)
+      end
+    end
+
+    context 'not admin' do
+      it 'denies' do
+        expect(subject).to_not permit(john, EmailDomainBlock)
+      end
+    end
+  end
+end
diff --git a/spec/policies/instance_policy_spec.rb b/spec/policies/instance_policy_spec.rb
new file mode 100644
index 000000000..fbfddd72f
--- /dev/null
+++ b/spec/policies/instance_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+RSpec.describe InstancePolicy do
+  let(:subject) { described_class }
+  let(:admin)   { Fabricate(:user, admin: true).account }
+  let(:john)    { Fabricate(:user).account }
+
+  permissions :index?, :resubscribe? do
+    context 'admin' do
+      it 'permits' do
+        expect(subject).to permit(admin, Instance)
+      end
+    end
+
+    context 'not admin' do
+      it 'denies' do
+        expect(subject).to_not permit(john, Instance)
+      end
+    end
+  end
+end
diff --git a/spec/policies/invite_policy_spec.rb b/spec/policies/invite_policy_spec.rb
new file mode 100644
index 000000000..e391455be
--- /dev/null
+++ b/spec/policies/invite_policy_spec.rb
@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+RSpec.describe InvitePolicy do
+  let(:subject) { described_class }
+  let(:admin)   { Fabricate(:user, admin: true).account }
+  let(:john)    { Fabricate(:user).account }
+
+  permissions :index? do
+    context 'staff?' do
+      it 'permits' do
+        expect(subject).to permit(admin, Invite)
+      end
+    end
+  end
+
+  permissions :create? do
+    context 'min_required_role?' do
+      it 'permits' do
+        allow_any_instance_of(described_class).to receive(:min_required_role?) { true }
+        expect(subject).to permit(john, Invite)
+      end
+    end
+
+    context 'not min_required_role?' do
+      it 'denies' do
+        allow_any_instance_of(described_class).to receive(:min_required_role?) { false }
+        expect(subject).to_not permit(john, Invite)
+      end
+    end
+  end
+
+  permissions :deactivate_all? do
+    context 'admin?' do
+      it 'permits' do
+        expect(subject).to permit(admin, Invite)
+      end
+    end
+
+    context 'not admin?' do
+      it 'denies' do
+        expect(subject).to_not permit(john, Invite)
+      end
+    end
+  end
+
+  permissions :destroy? do
+    context 'owner?' do
+      it 'permits' do
+        expect(subject).to permit(john, Fabricate(:invite, user: john.user))
+      end
+    end
+
+    context 'not owner?' do
+      context 'Setting.min_invite_role == "admin"' do
+        before do
+          Setting.min_invite_role = 'admin'
+        end
+
+        context 'admin?' do
+          it 'permits' do
+            expect(subject).to permit(admin, Fabricate(:invite))
+          end
+        end
+
+        context 'not admin?' do
+          it 'denies' do
+            expect(subject).to_not permit(john, Fabricate(:invite))
+          end
+        end
+      end
+
+      context 'Setting.min_invite_role != "admin"' do
+        before do
+          Setting.min_invite_role = 'else'
+        end
+
+        context 'staff?' do
+          it 'permits' do
+            expect(subject).to permit(admin, Fabricate(:invite))
+          end
+        end
+
+        context 'not staff?' do
+          it 'denies' do
+            expect(subject).to_not permit(john, Fabricate(:invite))
+          end
+        end
+      end
+    end
+  end
+end
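Review bot: Under `destroy?`, the `Setting.min_invite_role == "admin"` and `!= "admin"` branches assert the same outcomes (admin permitted, `john` denied), so the examples would pass even if the setting were ignored. A moderator account is the case that should differ between the two branches, presumably denied under `'admin'` and permitted otherwise, and adding it to both contexts would test the setting. In `create?`, `allow_any_instance_of(described_class).to receive(:min_required_role?)` stubs the policy's own predicate, so the role comparison itself is not exercised. `index?` has a permit example but no deny, and the `before` blocks assign `Setting.min_invite_role` without restoring it, which can leak into later examples unless rails_helper resets settings.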
diff --git a/spec/policies/relay_policy_spec.rb b/spec/policies/relay_policy_spec.rb
new file mode 100644
index 000000000..640f27d54
--- /dev/null
+++ b/spec/policies/relay_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+RSpec.describe RelayPolicy do
+  let(:subject) { described_class }
+  let(:admin)   { Fabricate(:user, admin: true).account }
+  let(:john)    { Fabricate(:user).account }
+
+  permissions :update? do
+    context 'admin?' do
+      it 'permits' do
+        expect(subject).to permit(admin, Relay)
+      end
+    end
+
+    context '!admin?' do
+      it 'denies' do
+        expect(subject).to_not permit(john, Relay)
+      end
+    end
+  end
+end
diff --git a/spec/policies/report_note_policy_spec.rb b/spec/policies/report_note_policy_spec.rb
new file mode 100644
index 000000000..596d7d7a9
--- /dev/null
+++ b/spec/policies/report_note_policy_spec.rb
@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+RSpec.describe ReportNotePolicy do
+  let(:subject) { described_class }
+  let(:admin)   { Fabricate(:user, admin: true).account }
+  let(:john)    { Fabricate(:user).account }
+
+  permissions :create? do
+    context 'staff?' do
+      it 'permits' do
+        expect(subject).to permit(admin, ReportNote)
+      end
+    end
+
+    context '!staff?' do
+      it 'denies' do
+        expect(subject).to_not permit(john, ReportNote)
+      end
+    end
+  end
+
+  permissions :destroy? do
+    context 'admin?' do
+      it 'permit' do
+        expect(subject).to permit(admin, ReportNote)
+      end
+    end
+
+    context 'admin?' do
+      context 'owner?' do
+        it 'permit' do
+          report_note = Fabricate(:report_note, account: john)
+          expect(subject).to permit(john, report_note)
+        end
+      end
+
+      context '!owner?' do
+        it 'denies' do
+          report_note = Fabricate(:report_note)
+          expect(subject).to_not permit(john, report_note)
+        end
+      end
+    end
+  end
+end
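Review bot: The second `context 'admin?'` under `destroy?` holds the cases where `john`, a non-admin, is the actor, so its label contradicts its contents and duplicates the context above it. It should read `context '!admin?' do`. The admin example passes the class `ReportNote` rather than a note owned by someone else; `expect(subject).to permit(admin, Fabricate(:report_note))` would show that an admin can delete another account's note. The two `it 'permit'` descriptions would also match the rest of the commit as `'permits'`.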
diff --git a/spec/policies/report_policy_spec.rb b/spec/policies/report_policy_spec.rb
new file mode 100644
index 000000000..c9ae1e87a
--- /dev/null
+++ b/spec/policies/report_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+RSpec.describe ReportPolicy do
+  let(:subject) { described_class }
+  let(:admin)   { Fabricate(:user, admin: true).account }
+  let(:john)    { Fabricate(:user).account }
+
+  permissions :update?, :index?, :show? do
+    context 'staff?' do
+      it 'permits' do
+        expect(subject).to permit(admin, Report)
+      end
+    end
+
+    context '!staff?' do
+      it 'denies' do
+        expect(subject).to_not permit(john, Report)
+      end
+    end
+  end
+end
diff --git a/spec/policies/settings_policy_spec.rb b/spec/policies/settings_policy_spec.rb
new file mode 100644
index 000000000..92f1f4869
--- /dev/null
+++ b/spec/policies/settings_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+RSpec.describe SettingsPolicy do
+  let(:subject) { described_class }
+  let(:admin)   { Fabricate(:user, admin: true).account }
+  let(:john)    { Fabricate(:user).account }
+
+  permissions :update?, :show? do
+    context 'admin?' do
+      it 'permits' do
+        expect(subject).to permit(admin, Settings)
+      end
+    end
+
+    context '!admin?' do
+      it 'denies' do
+        expect(subject).to_not permit(john, Settings)
+      end
+    end
+  end
+end
diff --git a/spec/policies/status_policy_spec.rb b/spec/policies/status_policy_spec.rb
index 837fa9cee..8bce29cad 100644
--- a/spec/policies/status_policy_spec.rb
+++ b/spec/policies/status_policy_spec.rb
@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'rails_helper'
 require 'pundit/rspec'
 
@@ -118,4 +120,30 @@ RSpec.describe StatusPolicy, type: :model do
       expect(subject).to_not permit(nil, status)
     end
   end
+
+  permissions :favourite? do
+    it 'grants access when viewer is not blocked' do
+      follow         = Fabricate(:follow)
+      status.account = follow.target_account
+
+      expect(subject).to permit(follow.account, status)
+    end
+
+    it 'denies when viewer is blocked' do
+      block          = Fabricate(:block)
+      status.account = block.target_account
+
+      expect(subject).to_not permit(block.account, status)
+    end
+  end
+
+  permissions :index?, :update? do
+    it 'grants access if staff' do
+      expect(subject).to permit(admin.account)
+    end
+
+    it 'denies access unless staff' do
+      expect(subject).to_not permit(alice)
+    end
+  end
 end
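Review bot: In 'denies when viewer is blocked', the viewer is `block.account` and the author is `block.target_account`, which by the field names looks like the viewer blocking the author, not the viewer being blocked. If that reading of the `Block` fixture is right, the description should be `'denies when viewer is blocking the author'`, and the opposite direction (author blocks viewer) has no `favourite?` example in this hunk. In the `:index?, :update?` group the permit case passes `admin.account` while the deny case passes `alice` directly; both are defined outside this hunk, so confirm they are the same kind of object.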
diff --git a/spec/policies/subscription_policy_spec.rb b/spec/policies/subscription_policy_spec.rb
new file mode 100644
index 000000000..21d60c15f
--- /dev/null
+++ b/spec/policies/subscription_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+RSpec.describe SubscriptionPolicy do
+  let(:subject) { described_class }
+  let(:admin)   { Fabricate(:user, admin: true).account }
+  let(:john)    { Fabricate(:user).account }
+
+  permissions :index? do
+    context 'admin?' do
+      it 'permits' do
+        expect(subject).to permit(admin, Subscription)
+      end
+    end
+
+    context '!admin?' do
+      it 'denies' do
+        expect(subject).to_not permit(john, Subscription)
+      end
+    end
+  end
+end
diff --git a/spec/policies/tag_policy_spec.rb b/spec/policies/tag_policy_spec.rb
new file mode 100644
index 000000000..c7afaa7c9
--- /dev/null
+++ b/spec/policies/tag_policy_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+RSpec.describe TagPolicy do
+  let(:subject) { described_class }
+  let(:admin)   { Fabricate(:user, admin: true).account }
+  let(:john)    { Fabricate(:user).account }
+
+  permissions :index?, :hide?, :unhide? do
+    context 'staff?' do
+      it 'permits' do
+        expect(subject).to permit(admin, Tag)
+      end
+    end
+
+    context '!staff?' do
+      it 'denies' do
+        expect(subject).to_not permit(john, Tag)
+      end
+    end
+  end
+end
diff --git a/spec/policies/user_policy_spec.rb b/spec/policies/user_policy_spec.rb
new file mode 100644
index 000000000..e37904f04
--- /dev/null
+++ b/spec/policies/user_policy_spec.rb
@@ -0,0 +1,167 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+require 'pundit/rspec'
+
+RSpec.describe UserPolicy do
+  let(:subject) { described_class }
+  let(:admin)   { Fabricate(:user, admin: true).account }
+  let(:john)    { Fabricate(:user).account }
+
+  permissions :reset_password?, :change_email? do
+    context 'staff?' do
+      context '!record.staff?' do
+        it 'permits' do
+          expect(subject).to permit(admin, john.user)
+        end
+      end
+
+      context 'record.staff?' do
+        it 'denies' do
+          expect(subject).to_not permit(admin, admin.user)
+        end
+      end
+    end
+
+    context '!staff?' do
+      it 'denies' do
+        expect(subject).to_not permit(john, User)
+      end
+    end
+  end
+
+  permissions :disable_2fa? do
+    context 'admin?' do
+      context '!record.staff?' do
+        it 'permits' do
+          expect(subject).to permit(admin, john.user)
+        end
+      end
+
+      context 'record.staff?' do
+        it 'denies' do
+          expect(subject).to_not permit(admin, admin.user)
+        end
+      end
+    end
+
+    context '!admin?' do
+      it 'denies' do
+        expect(subject).to_not permit(john, User)
+      end
+    end
+  end
+
+  permissions :confirm? do
+    context 'staff?' do
+      context '!record.confirmed?' do
+        it 'permits' do
+          john.user.update(confirmed_at: nil)
+          expect(subject).to permit(admin, john.user)
+        end
+      end
+
+      context 'record.confirmed?' do
+        it 'denies' do
+          john.user.confirm!
+          expect(subject).to_not permit(admin, john.user)
+        end
+      end
+    end
+
+    context '!staff?' do
+      it 'denies' do
+        expect(subject).to_not permit(john, User)
+      end
+    end
+  end
+
+  permissions :enable? do
+    context 'staff?' do
+      it 'permits' do
+        expect(subject).to permit(admin, User)
+      end
+    end
+
+    context '!staff?' do
+      it 'denies' do
+        expect(subject).to_not permit(john, User)
+      end
+    end
+  end
+
+  permissions :disable? do
+    context 'staff?' do
+      context '!record.admin?' do
+        it 'permits' do
+          expect(subject).to permit(admin, john.user)
+        end
+      end
+
+      context 'record.admin?' do
+        it 'denies' do
+          expect(subject).to_not permit(admin, admin.user)
+        end
+      end
+    end
+
+    context '!staff?' do
+      it 'denies' do
+        expect(subject).to_not permit(john, User)
+      end
+    end
+  end
+
+  permissions :promote? do
+    context 'admin?' do
+      context 'promoteable?' do
+        it 'permits' do
+          expect(subject).to permit(admin, john.user)
+        end
+      end
+
+      context '!promoteable?' do
+        it 'denies' do
+          expect(subject).to_not permit(admin, admin.user)
+        end
+      end
+    end
+
+    context '!admin?' do
+      it 'denies' do
+        expect(subject).to_not permit(john, User)
+      end
+    end
+  end
+
+  permissions :demote? do
+    context 'admin?' do
+      context '!record.admin?' do
+        context 'demoteable?' do
+          it 'permits' do
+            john.user.update(moderator: true)
+            expect(subject).to permit(admin, john.user)
+          end
+        end
+
+        context '!demoteable?' do
+          it 'denies' do
+            expect(subject).to_not permit(admin, john.user)
+          end
+        end
+      end
+
+      context 'record.admin?' do
+        it 'denies' do
+          expect(subject).to_not permit(admin, admin.user)
+        end
+      end
+    end
+
+    context '!admin?' do
+      it 'denies' do
+        expect(subject).to_not permit(john, User)
+      end
+    end
+  end
+end
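Review bot: Every 'record.staff?' and 'record.admin?' deny case passes `admin.user` as the record with `admin` as the actor, so the only case tested is an admin acting on their own account. A denial caused by a self-targeting check cannot be told apart from one caused by the target's role, and a moderator target is never tried for `:reset_password?, :change_email?` or `:disable_2fa?`. A separate staff record, for example `let(:moderator) { Fabricate(:user, moderator: true) }` with `expect(subject).to_not permit(admin, moderator)`, would cover one staff member acting on another; the expected deny is inferred from the context labels. The same applies to `:promote?` ('!promoteable?') and `:disable?`, where a second admin created like `other_admin` in account_policy_spec.rb would be the more telling record.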